Hacker News new | ask | show | jobs
by donrhummy 5008 days ago
Can someone explain how this is distributed and not using a central "authority"? I know it caches things locally, but it still requires Mozilla's Persona.org servers, correct? And you need a password that Mozilla stores, so aren't their servers still vulnerable? And couldn't (dumb) people still choose "123456" as their persona password? I understand that this makes the sites with crappy security implementations better, but some of the weaknesses are still there, right?
2 comments
kumar303 5008 days ago
It's fully distributed because the identity provider is your email domain. When joe@gmail.com logs in, gmail.com could be the only server that the system interacts with! This is described here: https://developer.mozilla.org/en-US/docs/Persona/.well-known... Gmail may or may not choose to become an identity provider. That's ok too. In that case, a secure Mozilla server (with a sane privacy policy) will broker the email verification instead and thus can vouch for the user's identity.
link
tofumatt 5008 days ago
I believe the aim is to have email providers be able to auth your persona email instead of Mozilla, but Mozilla exists as a sort of polyfill if the provider (eg. hotmail.com, gmail.com, your-custom-domain.net) doesn't do persona yet.

Also, yes: people can still choose crummy passwords. Personally, I don't think the appeal is in better security; it's convenience of single sign-on without it being tied to a. identity or b. Facebook (or twitter or google or whatever other service that harvests my data).

link
donrhummy 5008 days ago
Right, but the email providers are only authenticating you to Persona. As far as the websites using Persona are concerned, it's persona.org that authenticates you.

And the appeal that Mozilla is pushing is definitely better security (as well as a distributed security authentication versus one for-profit authority - I definitely trust Mozilla MUCH more than Facebook or twitter, but it's still a central authority). You can especially see this in the talk they gave introducing it: http://www.youtube.com/watch?v=iZBTc7iEkQY

link
ozten 5008 days ago
As a website you can do local verification of the log in assertion.

Mozilla hosts a verifier as a convenience, but you don't have to use it.

link
donrhummy 5008 days ago
But the assertion only gets sent if the user logs in to persona first (with their email and persona password)
link
callahad 5008 days ago
Ah! Right. There is no Persona password if your email provider supports Persona natively. If your provider has native support, you only authenticate with them, and the site you're logging into sees a credential issued by your provider. Mozilla is completely out of the transaction in that case.

You can try this yourself with a demo identity provider we have at http://eyedee.me/

link